
# How to Fix a Blocked Endpoint in Your Workflow

If your GitHub Actions build fails because Harden-Runner blocked an outbound network call, here's how to resolve it.

### **Why This Happened**

Your workflow has Harden-Runner configured with `egress-policy: block` and a list of `allowed-endpoints`. The workflow tried to reach an endpoint (domain + port) that isn't on the allowed list, so Harden-Runner blocked the connection to prevent potential data exfiltration.

This is Harden-Runner working as intended. The fix depends on whether the blocked endpoint is legitimate.

#### **Step 1: Find the Blocked Endpoint**

Open the failed workflow run in GitHub. In the job summary, click the Harden-Runner insights link to open the Insights page.

Go to the **Network Events** tab. Look for events with a **Blocked** status. Note the destination endpoint (e.g., `registry.npmjs.org:443`) and which workflow step triggered the call.

#### **Step 2: Determine if It's Legitimate**

Ask yourself:

* Does this endpoint belong to a known service? (Package registry, cloud provider, CDN, API)
* Does the step that triggered it logically need this connection? (A dependency installation step calling the npm registry is expected; a test step calling an unknown external API is not.)
* Did you recently update a dependency or add a new GitHub Action that might introduce new endpoints?

If you can explain the endpoint, it's safe to add it to the allowed list.

#### **Step 3: Add the Endpoint**

Open your workflow YAML file and add the endpoint to the `allowed-endpoints` list:

```yaml
- uses: step-security/harden-runner@v2
  with:
    egress-policy: block
    allowed-endpoints: >
      github.com:443
      api.github.com:443
      registry.npmjs.org:443
      <your-new-endpoint.com:443>
```

Commit, push, and re-run the workflow.

Alternatively, if your organization uses **Policy Store**, ask your security team to add the endpoint there. This avoids modifying the workflow YAML directly.

#### **Step 4: If It Looks Suspicious**

If you can't explain why the endpoint is being called:

* Do **not** add it to the allowed list
* Check if a recent dependency update introduced the call
* Notify your security team
* Consider reverting the most recent dependency changes and re-running the workflow to see if the blocked call disappears
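
To tie Steps 1 to 3 together, the following added example (not part of Harden-Runner or the original guide) reads the `allowed-endpoints` block from a workflow file, flags entries that are not in `domain:port` form, and lists which blocked endpoints noted from the Network Events tab are still missing. The sample workflow, the `pkg.example.com` endpoint, the function names, and the exact-match comparison are assumptions made for illustration.

```python
import re

# Constructed sample workflow, modelled on the Step 3 snippet (not a real repository file).
WORKFLOW = """\
steps:
  - uses: step-security/harden-runner@v2
    with:
      egress-policy: block
      allowed-endpoints: >
        github.com:443
        api.github.com:443
        registry.npmjs.org:443
  - run: npm ci
"""
HOST_PORT = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?:(\d{1,5})$")

def allowed_endpoints(yaml_text):
    """Collect the entries under every allowed-endpoints key (stdlib only, no YAML parser)."""
    entries, key_indent = [], None
    for line in yaml_text.splitlines():
        stripped = line.strip()
        depth = len(line) - len(line.lstrip())
        if key_indent is not None and stripped:
            if depth > key_indent:          # still inside the block scalar
                entries.extend(stripped.split())
                continue
            key_indent = None               # a dedent ends the list
        if key_indent is None and stripped.startswith("allowed-endpoints:"):
            key_indent = depth
            inline = stripped.split(":", 1)[1].split()
            entries.extend(t for t in inline if t[0] not in ">|")
    return entries

def well_formed(entry):
    """True for domain:port with a port in 1..65535."""
    m = HOST_PORT.match(entry)
    return bool(m) and 0 < int(m.group(2)) <= 65535

def review(yaml_text, blocked):
    """Return malformed allow-list entries and blocked endpoints the list still misses.
    Assumption: exact, case-insensitive domain:port comparison."""
    allowed = {e.lower() for e in allowed_endpoints(yaml_text)}
    return {
        "malformed": sorted(e for e in allowed if not well_formed(e)),
        "still_blocked": sorted({b.lower() for b in blocked} - allowed),
    }

if __name__ == "__main__":
    # Constructed Network Events notes: one endpoint already allowed, one not.
    print(review(WORKFLOW, ["registry.npmjs.org:443", "pkg.example.com:443"]))
```

An unedited `<your-new-endpoint.com:443>` placeholder or an entry without a port shows up under `malformed`, which catches the most common mistakes before the workflow is re-run.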

### **Prevention**

When a new dependency or action is added to a workflow, run it in `egress-policy: audit` mode first to discover any new endpoints before switching to block mode. Check the **Recommended Policy** tab on the Insights page for an updated endpoint list.

